AAPC Submits Comments on CPPA

The AAPC submitted comments in February on new privacy rules proposed by the California Privacy Protection Agency. While we welcome clarity, we suggest changes to make the rules fair and practical. For example, the cybersecurity audit requirement should focus on larger businesses and on data that is genuinely sensitive. Companies should be able to rely on existing security standards and should not have to submit extra reports. The rules should also protect trade secrets and not limit advertising unfairly.


February 19, 2025

Via Email ([email protected])

California Privacy Protection Agency
Attn: Legal Division – Regulations Public Comment
2101 Arena Boulevard
Sacramento, CA 95834

Re: Public Comment on CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations

To Whom It May Concern:

The American Association of Political Consultants (AAPC) welcomes the opportunity to submit comments on the California Privacy Protection Agency’s (“Agency”) proposed regulations that are the subject of the notice of proposed rulemaking dated November 22, 2024.

The AAPC is a bipartisan professional organization of political and public affairs professionals dedicated to advancing the field of political consulting and promoting ethical practices within the industry. The AAPC has over 1,800 members who rely on data to reach, educate, and engage voters in our democratic processes. We respect individuals’ rights to control how their data is used and support well-defined privacy regulations and mechanisms to ensure that companies are following all state and federal laws. 

The AAPC appreciates the Agency’s diligent efforts in drafting the proposed regulations and accompanying draft initial statement of reasons. The AAPC respectfully offers the following proposed revisions to the draft regulations.

  • Proposed Revisions to Cybersecurity Audits Regulations

Proposed Revision to § 7120 (Requirement to Complete a Cybersecurity Audit)

California Civil Code § 1798.185(14) requires the Agency to issue regulations “requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to . . . [p]erform a cyber security audit on an annual basis . . . .” The regulation explains that the “factors to be considered in determining when processing may result in significant risk to the security of personal information shall include the size and complexity of the business and the nature and scope of processing activities.”

In turn, draft regulation § 7120 identifies three thresholds for when the processing of consumers’ personal information presents a significant risk to consumers: (1) the business derived 50% or more of its annual revenue from selling or sharing consumers’ personal information in the preceding calendar year; (2) the business processed the personal information of 250,000 or more consumers or households in the preceding calendar year; or (3) the business processed the sensitive personal information of 50,000 or more consumers in the preceding calendar year.

The AAPC respectfully requests that the applicability threshold be linked to personal information that, if compromised, would actually result in a significant risk of harm to consumers. For example, as currently written, a business that processes 250,000 email addresses or 250,000 IP addresses each year would have to perform an expensive cybersecurity audit. 

A better threshold for applicability would be to use the types of personal information that are covered by the state’s data breach notification statute, California Civil Code § 1798.82(h). The legislature has already determined that those data elements are the ones that create a significant risk of harm if compromised. The legislature also has amended that law, when necessary, to expand the definition of personal information to include data elements that are particularly sensitive, including biometric data. Linking the cybersecurity audit to that statute would provide consistency between the two statutory regimes and adequately protect consumers.

Consequently, the AAPC respectfully requests that § 7120(b) be revised as follows:

(b) A business’s processing of consumers’ personal information presents significant risk to consumers’ security if the business processes the personal information, as defined in Cal. Civil Code section 1798.82(h), of 250,000 or more consumers or households in the preceding calendar year.

Proposed Revision to § 7124(f) (Scope of Cybersecurity Audit)

In this regulation, the Agency recognizes that businesses may already engage in cybersecurity audits for their own purposes or to comply with other laws, and that such audits may already address the requirements set forth in section 7124. However, the regulation goes on to impose an obligation on businesses to provide an explanation of how that audit “meets all of the requirements set forth in this Article.” Ultimately, this requirement will impose unnecessary burdens and expense on businesses that are already conducting appropriate cybersecurity audits.

To mitigate the costs on businesses and streamline compliance, the AAPC respectfully requests that the Agency (1) align the requirements in its regulation with existing widely recognized audit methodologies or cybersecurity frameworks (e.g., SOC 2, PCI DSS), (2) affirmatively identify which existing widely recognized audit methodologies or cybersecurity frameworks satisfy the CCPA’s standard, or (3) provide a mechanism for interested parties to apply to the Agency to confirm that a methodology or framework complies with the CCPA’s standard.

Deletion of § 7124 (Certification of Compliance)

Section 7124 requires a business to submit a written certification to the Agency that the business completed its cybersecurity audit. This requirement is inconsistent with the text of California Civil Code § 1798.185(14). That section specifically states that risk assessments must be submitted to the Agency “on a regular basis.” It does not say that cybersecurity audits must be submitted to the Agency. The inclusion of a submission requirement for risk assessments, combined with the absence of such a requirement for cybersecurity audits, must be given effect. Accordingly, the Agency should delete § 7124.

  • Proposed Modification to Definition of Extensive Profiling

The AAPC respectfully requests that the Agency remove behavioral advertising from its definition of extensive profiling in § 7150 and § 7200.

By way of background, § 7150 requires businesses to conduct risk assessments if they use automated decisionmaking technology for “extensive profiling.” Section 7200(a)(2) allows consumers to opt out of extensive profiling. Extensive profiling is defined in both regulations to include “profiling a consumer for behavioral advertising.” 

The inclusion of behavioral advertising is inconsistent with the CCPA and other state privacy laws.

First, the inclusion of behavioral advertising is inconsistent with the CCPA because the law only provides a right to opt out of the sharing of personal information. Sharing is defined as the transfer of personal information by a business to a third party for cross-context behavioral advertising. Cross-context behavioral advertising is defined as “personal information obtained from the consumer’s activity across businesses, distinctly branded internet websites, applications, or services, other than the business, distinctly branded internet website, application, or service with which the consumer intentionally interacts.” (Emphasis added.)

However, the draft regulation’s definition of behavioral advertising would create a new right to opt out of targeted advertising “based on the consumer’s personal information obtained from the consumer’s activity . . . within the business’s own distinctly-branded websites, applications, or services.” (Emphasis added.)

If the ballot measure that amended the CCPA wanted to create such a right, it could have easily done so by including it in the definition of “share.” The Agency should not now seek to create such a right through the definition of profiling.

Further, the scope of the Agency’s rulemaking authority should be read in the context of the privacy laws that existed at the time the ballot measure was enacted, such as Europe’s General Data Protection Regulation, which has a similar provision in Article 22. Similarly, the inclusion of behavioral advertising is much broader than the existing triggers for completing a data protection assessment under other state privacy laws. For example, the Colorado Privacy Act provides that data protection assessments should be conducted if the profiling presents a “reasonably foreseeable risk of (I) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (II) financial or physical injury to consumers; (III) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or (IV) other substantial injury to consumers.”

Ultimately, the Agency should align its rulemaking with the intent of the CCPA and other privacy laws.

  • Protection of Trade Secrets

California Civil Code § 1798.185(a)(14)(B) specifically states that, in preparing and submitting risk assessments to the Agency, “[n]othing in this section shall require a business to divulge trade secrets.” Consistent with that statutory language, the AAPC respectfully requests that the Agency amend § 7157 to add a new part (e), stating:

Nothing in this regulation shall require a business to divulge trade secrets.

Respectfully submitted,

Alana Joyce

Executive Director

American Association of Political Consultants

[email protected] | 703-245-8021

www.theaapc.org